Victor Wynne

Critical flaws in CocoaPods expose iOS and macOS apps to supply chain attacks


A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks.

The vulnerabilities allow “any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications,” E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published today.

The Israeli application security firm said the three issues have since been patched by CocoaPods as of October 2023. It also resets all user sessions at the time in response to the disclosures.

When I made the transition away from Objective-C to Swift development I also moved away from CocoaPods in favor of Swift packages. Talk about dodging a huge bullet. Even with no known exploits in the wild, 10 years is a long time for this to have been out there.